Over the past year, I’ve moved more and more of my data over to the cloud — in particular, to being stored with Google. I’m rethinking that, in the wake of Google’s statement that it was the target of a sophisticated hacking attack. Further, I’m wondering if this entire episode — GoogleHack, for want of a better name — will develop into a major reversal for the growth of cloud computing.
Living In The Cloud
For those not up on the term, “cloud computing” is a reference to the idea that your programs and data live on the internet rather than on your computer. Need to write a letter? You don’t install Microsoft Word, then compose the letter and save it to your computer’s hard drive. You open your browser, go to Google Docs, create the letter there and save it to be stored with Google.
The internet is the “cloud,” and by letting everything live within it, you’re promised great benefits. That file you need? As long as you can get online, it’s available to you. You can get it from your laptop, a friend’s computer or from your cell phone. It’s even backed up for you. And painful software installations? Forget about it! When’s the last time Gmail said it needed to download a security update to your computer and then prompted you to restart after it was finished?
Cloud Computing, Google & Being A Big Target
Enticing. Seductive. What’s not to love? And Google has built a huge part of its business around the idea that we should trust both the cloud computing concept and Google itself. Just this week, the company announced 1GB of storage for any type of files. The hacking attacks call that all into question more than anything I can think of before.
What do we know so far? Google only tells us that there was a “highly sophisticated and targeted attack” on its “corporate infrastructure” that resulted in the theft of “intellectual property.” What’s that mean, exactly?
Well, one report now out from IDG is that Google apparently maintains a system to monitor or collect data about users in case it is served with a search warrant — and that the hackers got into that system. An anonymous source is quoted saying:
Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems]
Hmm. I’ve often joked with people that there’s a secret room deep under the Googleplex that houses two people who do nothing but watch everything that goes on through Google’s servers. Sworn to secrecy, their job is to defend the data, no matter what. And if one of them should go crazy, why the other one is there armed and willing to take action, kind of like those in nuclear weapons silos. You remember the movie War Games, right?
Well, I guess it’s not so much a joke. While on the one hand, I can see why Google would want to create such a system, it’s also blindingly obvious what a potential target it would be for hackers. Moreover, it simply highlights what a target Google itself is.
Most criticism over the years about Google and data that it collects or stores has focused on the idea that Google itself would be the bad actor. Google would go evil and spy on everything you do. In reality, it may be external parties that we should be most worried about.
Google: The New Windows, With All The Viruses?
Consider the “old” computer model. Windows is the most popular operating system out there. Despite Microsoft running it, there have been no major examples I can think of where Microsoft has been found to have collected data through that operating system that has later leaked out. However, Windows is also the operating system that to my knowledge is most prone to virus and malware attacks. Because so many people use it, Windows itself sits on individual computers as a big target begging to be attacked by external parties.
Google is the new operating system for many people. Indeed, the coming Google OS will literally make Google into an operating system, where you’ll access Google services (as well as the rest of the web) through a Google browser. Google is our computer, where we get our email, store our documents, leave our spreadsheets and much more. All that data, just sitting over there. A big huge target, begging to be attacked.
This Was A Cloud Computing Attack
Google has and will continue to assure us that everything is safe. Indeed, on the same day it made the announcement about the hacking attempts, it had a separate blog post specifically assuring us that cloud computing remained secure:
This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.
While any company can be subject to such an attack, those who use our cloud services benefit from our data security capabilities. At Google, we invest massive amounts of time and money in security. Nothing is more important to us. Our response to this attack shows that we are dedicated to protecting the businesses and users who have entrusted us with their sensitive email and document information. We are telling you this because we are committed to transparency, accountability, and maintaining your trust.
I bolded the key part which frankly is wrong. It was very much was an attack on cloud computing, as Google’s main blog post made clear. Hackers went after Gmail accounts, not just through malware-infected computers but directly by targeting Google, that post told us. Gmail — your email, stored in the cloud. That’s an attack on cloud computing.
Remember, before Gmail came, you didn’t leave your email sitting in the cloud for very long. It cost you money to do so. You downloaded it to your own computer and deleted it from the cloud. Gmail ended all that, assuring people they need never delete anything again.
What Exactly Got Taken?
So spare me the suggestion this wasn’t an attack on cloud computing. Reassure me another way, such as telling me in the main post that only “limited” data got out about two Gmail accounts “such as” the subject line of emails in those accounts.
No worries then, because you know that subject lines never have any revealing info in them. Or that in Gmail, subject lines often include a little bit of the opening part of the email itself. And next to the subject line, the sender is listed. Was that information seen?
Remember me putting “such as” in quotes? That’s because Google only specifically described two types of the “limited” data that was seen. What else might have been viewed remains completely open to speculation.
Still, let’s say we completely trust that this time, Google fended off the nasties. What about next time? Because there’s sure to be a next time. Will it be successful then?
The Human Weakness
Also note that Google’s apparently investigating if there were insiders involved — people within Google assisting with this. Even if that’s not true this time, again, what about next time? Google employs thousands of people. Unlike early Googlers, the new folks are not getting incredibly wealthy. Can they be bribed? Might some look around out of curiosity? Goodness, do we now have to worry that government agents from any country (including those from the US) might go undercover to gain access? Hand me my tinfoil hat! Except it’s not sounding so crazy, anymore.
Meanwhile, the specter of human mistakes still linger. Last week, Google emailed an undisclosed number of people information about businesses that they had no connection with. How’d that happen? Human error. Woah — what type of human error? Exactly how did that screw up happen? Sorry, Google’s not talking more in public about that.
We Got The Censorship Angle, Now Back To Data Security
It’s time for the stories to start shifting. Google gets hacked, so it reacts by deciding to no longer censor. As a result, the coverage so far has been largely about how that change will impact Google’s business prospects in China.
The focus really should get back on the issue of Google being hacked. I’m as glad as many people are that Google’s going to stop censoring. I also don’t think Google purposely made the anti-censorship move and announcement to distract from the issues that being hacked raises. But that indeed needs much more attention.
And what to do. Pull all your data down? That’s a personal decision. I love having my email easy to search by being in the cloud. But I’m not sure I want to start uploading my financial documents. I’m less certain that I want to have company documents sitting out there. I’m kind of thinking in the era of cheap hard drives, I might just do more carrying around my own little cloud with me. Encrypted, of course!
Ironically, such a shift could also make data less safe. Will we get back to the days when people routinely emailed files back and forth through unsecured email connections? There’s also a need for perspective. You’re probably far more at risk of having your data exposed by using a weak password than through government-backed hacking attempts.
Still, the cloud lost some trust this week. I think more trust will be lost as further details emerge — and that’s not just for Google but for any company offering cloud computing. How that trust will be rebuilt, for Google, depends on how forthcoming the company is about what happened, what got out and why we should really feel secure against future attempts.